Windows Analysis Report https://modoseguranca.com/loader.exe

Overview

General Information

Sample URL: https://modoseguranca.com/loader.exe
Analysis ID: 458211

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Machine Learning detection for dropped file
Yara detected Costura Assembly Loader
Binary contains a suspicious time stamp
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • cmd.exe (PID: 5236 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://modoseguranca.com/loader.exe' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 3924 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://modoseguranca.com/loader.exe' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • loader.exe (PID: 5900 cmdline: 'C:\Users\user\Desktop\download\loader.exe' MD5: 8DF8BD1A1062E051AD3092BF58E69400)
  • loader.exe (PID: 5304 cmdline: 'C:\Users\user\Desktop\download\loader.exe' MD5: 8DF8BD1A1062E051AD3092BF58E69400)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\Desktop\download\loader.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000006.00000002.472487711.000002228AE82000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000006.00000000.211896873.000002228AE82000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000008.00000000.233098831.0000020CE4442000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000006.00000002.473454245.000002228CA81000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(8 further memory-dump entries are not reproduced in this extract)

Unpacked PEs

Source | Rule | Description | Author
6.0.loader.exe.2228ae80000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
8.0.loader.exe.20ce4440000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
6.2.loader.exe.2228ae80000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
8.2.loader.exe.20ce4440000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\download\loader.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 45.132.242.60:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: Binary string: $VB$ResumableLocal_$VB$Closure_$0_Closure$__12-0_Closure$__14-0_Closure$__19-0$A0_Lambda$__0arg0$VB$ResumableLocal_$VB$Closure_$1_Closure$__14-1_Closure$__19-1_Lambda$__1List`1Resource1$VB$ResumableLocal_assemblytoload$2$I14-2_Lambda$__14-2Microsoft.Win32user32Int32$VB$NonLocal_$VB$Closure_2Dictionary`2$VB$ResumableLocal_ex$3get_UTF8<Module>SetCurrentDirectoryA$VB$Local_BGCSystem.Drawing.Drawing2DES_AWAYMODE_REQUIREDES_SYSTEM_REQUIREDES_DISPLAY_REQUIREDget_FormatIDInstall_DEXECUTION_STATEFH$ILPROCESS_MODE_BACKGROUND_BEGIN$VB$Local_NInstall_NSystem.IO$VB$Local_PQCURSORINFOHELPERCheckDNSIDLE_PRIORITY_CLASSREALTIME_PRIORITY_CLASSHIGH_PRIORITY_CLASSABOVE_NORMAL_PRIORITY_CLASSBELOW_NORMAL_PRIORITY_CLASSES_CONTINUOUSInstall_TWget_Xget_Y_Closure$__value__CosturaProjectDataPacketLibmscorlibStubSystem.Collections.GenericMicrosoft.VisualBasicset_MiscReadThreadLoadAddisAttachedInterlockedcostura.packetlib.pdb.compressedcostura.costura.dll.compressedcostura.packetlib.dll.compressedcostura.options.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedget_GuidReadToEndPacket_Sendhwndset_MethodGetMethod$VB$Local_methodReplaceCreateInstancesourceCompressionModeFromImageDrawImagePrivilegeExchangenullCacheInvokeIDisposableget_HandleRuntimeTypeHandleGetTypeFromHandlehfandlehandleRectangleIsInRoleWindowsBuiltInRoleConsoleget_Nameget_EnglishNameget_OSFullNamefullNameget_UserNameget_ProductNameGetNamerequestedAssemblyNamenameDateAndTimeDateTimeWriteLineIAsyncStateMachineSystem.Runtime.CompilerServices.IAsyncStateMachine.SetStateMachinestateMachineLocalMachineValueTypeSecurityProtocolTypeGetTypePacketTypeset_ContentTypeget_Cultureset_CultureresourceCulturecultureCaptureMethodBaseWebResponseGetResponseCloseDisposeParseCreate$StateEditorBrowsableStateSetThreadExecutionStateWriteSTAThreadAttributeCompilerGeneratedAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeAsyncStateMachineAttributeDebuggerStepThroughAttributeTargetFrameworkAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeByteGetObjectValueTryGetValueSetValueReadlinevalueSaveadd_AssemblyResolveStub.execbSizeminimumWorkingSetSizemaximumWorkingSetSizeSetProcessWorkingSetSizeSerializeDeserializeSizeOfget_Gifget_Jpegget_PngSystem.ThreadingEncodingSystem.Drawing.ImagingSystem.Runtime.VersioningCompareStringCultureToStringSystem.DrawingAttachVB$StateMachine_19_Launchget_ExecutablePathGetTempPathpathget_Widthget_LengthEndsWithpcipsapi$VB$Local_obj$VB$Local_kChecknullCacheLockRemoveJunkTaskMarshalSystem.Security.PrincipalWindowsPrincipalSystem.ComponentModelkernel32.dlluser32.dllKernelBase.dllntdll.dllset_SecurityProtocolurlReadStreamLoadStreamGetManifestResourceStreamGetResponseStreamDeflateStreamNetworkStreamGetStreamMemoryStreamstreamget_Paramset_ItemSystemEnumresourceManCopyFromScreenget_PrimaryScreenMainAppDomainget_CurrentDomainget_PluginDrawIconget_CurrentRegionget_OSVersionFodyVersionSystem.IO.CompressionApplicationdestinationCopyPixel
                      Source: Binary string: costura.packetlib.pdb.compressed source: loader.exe, 00000006.00000002.473454245.000002228CA81000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473551888.0000020CE6261000.00000004.00000001.sdmp
                      Source: Binary string: packetlibAcostura.packetlib.dll.compressedAcostura.packetlib.pdb.compressed source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp, loader.exe, 00000006.00000002.472487711.000002228AE82000.00000002.00020000.sdmp, loader.exe, 00000008.00000000.233098831.0000020CE4442000.00000002.00020000.sdmp, loader.exe.3.dr
                      Source: Binary string: C:\Users\ada\Desktop\definitivo\bb\Client\obj\x64\Debug\Stub.pdb source: loader.exe, loader.exe.3.dr
                      Source: Binary string: C:\Users\ada\Desktop\HorusEyesRat_Public-master\Options\obj\Debug\Options.pdb source: loader.exe, 00000006.00000002.473454245.000002228CA81000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473605447.0000020CE62D9000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\ada\Desktop\HorusEyesRat_Public-master\Options\obj\Debug\Options.pdbR.l. ^._CorDllMainmscoree.dll source: loader.exe, 00000006.00000002.473454245.000002228CA81000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473605447.0000020CE62D9000.00000004.00000001.sdmp
                      Source: Binary string: costura.packetlib.pdb.compressed source: loader.exe, loader.exe.3.dr
Source: C:\Users\user\Desktop\download\loader.exe | Code function: 4x nop then jmp 00007FFAEEF63934h | 6_2_00007FFAEEF62FE4
Source: C:\Users\user\Desktop\download\loader.exe | Code function: 4x nop then jmp 00007FFAEEF63934h | 8_2_00007FFAEEF62FE4
Source: unknown | DNS traffic detected: queries for: modoseguranca.com
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7cXE9Lw
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.orgZE9Nt
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wget.exe, 00000003.00000003.207173976.0000000001064000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000003.00000002.207518632.0000000000B68000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp, wget.exe, 00000003.00000003.207173976.0000000001064000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/YE9Mu
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: wget.exe, 00000003.00000003.207173976.0000000001064000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: wget.exe, 00000003.00000003.207173976.0000000001064000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/JN
Source: wget.exe, 00000003.00000003.207173976.0000000001064000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: wget.exe, 00000003.00000003.207151341.00000000010A0000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1501491138:AAF0dvh3eYK--fsysD6JFCznVxoTH0
Source: wget.exe, 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1501491138:AAF0dvh3eYK--fsysD6JFCznVxoTH0LE9X
Source: loader.exe, loader.exe, 00000008.00000002.473612767.0000020CE62ED000.00000004.00000001.sdmp, loader.exe.3.dr | String found in binary or memory: https://api.telegram.org/bot1501491138:AAF0dvh3eYK--fsysD6JFCznVxoTH0WZ39I/sendMessage?chat_id=-5070
Source: wget.exe, 00000003.00000002.207608952.00000000011A5000.00000004.00000040.sdmp, wget.exe, 00000003.00000003.207173976.0000000001064000.00000004.00000001.sdmp, cmdline.out.3.dr | String found in binary or memory: https://modoseguranca.com/loader.exe
Source: wget.exe, 00000003.00000002.207605003.00000000011A0000.00000004.00000040.sdmp | String found in binary or memory: https://modoseguranca.com/loader.exeEE8Px
Source: wget.exe, 00000003.00000003.207173976.0000000001064000.00000004.00000001.sdmp | String found in binary or memory: https://modoseguranca.com/loader.exeFN
Source: wget.exe, 00000003.00000002.207608952.00000000011A5000.00000004.00000040.sdmp | String found in binary or memory: https://modoseguranca.com/loader.exeUE9Av
Source: wget.exe, 00000003.00000002.207608952.00000000011A5000.00000004.00000040.sdmp | String found in binary or memory: https://modoseguranca.com/loader.exeWE8Bx
Source: wget.exe, 00000003.00000002.207605003.00000000011A0000.00000004.00000040.sdmp | String found in binary or memory: https://modoseguranca.com/loader.exeWE9Cx
Source: wget.exe, 00000003.00000002.207605003.00000000011A0000.00000004.00000040.sdmp | String found in binary or memory: https://modoseguranca.com/loader.exee
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 45.132.242.60:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B7E51C
Source: loader.exe.3.dr | Static PE information: No import functions for PE file found
Source: loader.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal48.evad.win@6/2@1/1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_01
Source: C:\Users\user\Desktop\download\loader.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\download\loader.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://modoseguranca.com/loader.exe' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://modoseguranca.com/loader.exe'
Source: unknown | Process created: C:\Users\user\Desktop\download\loader.exe 'C:\Users\user\Desktop\download\loader.exe'
Source: unknown | Process created: C:\Users\user\Desktop\download\loader.exe 'C:\Users\user\Desktop\download\loader.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://modoseguranca.com/loader.exe'
Source: C:\Users\user\Desktop\download\loader.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match | File source: 6.0.loader.exe.2228ae80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.loader.exe.20ce4440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.loader.exe.2228ae80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.loader.exe.20ce4440000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000003.207159939.00000000010A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.472487711.000002228AE82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.211896873.000002228AE82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.233098831.0000020CE4442000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.473454245.000002228CA81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.473551888.0000020CE6261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.207151341.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.472510462.0000020CE4442000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.207584319.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.207589527.00000000010A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wget.exe PID: 3924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: loader.exe PID: 5900, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: loader.exe PID: 5304, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\Desktop\download\loader.exe, type: DROPPED
Source: loader.exe.3.dr | Static PE information: 0xE5238D6F [Sat Oct 27 08:33:51 2091 UTC]
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00B6C459 push edx; retf | 3_2_00B6C486
Source: initial sample | Static PE information: section name: .text entropy: 7.19024612271
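The "suspicious time stamp" finding above rests on the raw COFF TimeDateStamp 0xE5238D6F, which decodes to a date seventy years after the analysis. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it reads that field straight out of a PE header, decodes the report's value, and classifies it against the observation time. The minimal MZ/PE header it builds is constructed test input rather than the real loader.exe, and the ten-year "plausible build age" window is an assumption.

```python
"""Decode and sanity-check a PE TimeDateStamp such as the 0xE5238D6F the report quotes."""
import struct
from datetime import datetime, timezone

REPORTED_STAMP = 0xE5238D6F          # value quoted in the report for loader.exe
PLAUSIBLE_AGE_DAYS = 10 * 365        # assumption: builds older than this are worth a look


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image held in memory.

    Only the DOS header and the COFF header are touched, so this also works on
    truncated dumps as long as the first few hundred bytes are intact.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def decode_stamp(stamp: int) -> tuple:
    """Unix seconds -> (year, month, day, hour, minute, second) in UTC."""
    return tuple(datetime.fromtimestamp(stamp, tz=timezone.utc).timetuple()[:6])


def classify_timestamp(stamp: int, observed_at: int) -> str:
    """Label a build stamp relative to the Unix time the sample was observed.

    future    - later than the observation: forged, or not a time at all
                (Roslyn deterministic builds store a content hash in this field)
    zero      - cleared, common for packed or patched images
    plausible - within PLAUSIBLE_AGE_DAYS before the observation
    old       - anything earlier
    """
    if stamp == 0:
        return "zero"
    if stamp > observed_at:
        return "future"
    if (observed_at - stamp) <= PLAUSIBLE_AGE_DAYS * 86400:
        return "plausible"
    return "old"


def build_fake_pe(stamp: int) -> bytes:
    """Constructed minimal MZ + COFF header carrying the given stamp (test input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> COFF header at 0x40
    # Signature, Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1, stamp, 0, 0, 0xF0, 0x22)
    return bytes(dos) + coff


if __name__ == "__main__":
    stamp = pe_timestamp(build_fake_pe(REPORTED_STAMP))
    y, mo, d, h, mi, s = decode_stamp(stamp)
    print(f"TimeDateStamp 0x{stamp:08X} -> {y}-{mo:02}-{d:02} {h:02}:{mi:02}:{s:02} UTC")
    print("verdict:", classify_timestamp(stamp, int(datetime.now(timezone.utc).timestamp())))
```

Read the verdict with the sample's build chain in mind: the PDB paths above show a Visual Basic .NET project compiled under obj\Debug, and Roslyn's deterministic-build mode replaces the TimeDateStamp with a value derived from a hash of the compilation inputs, which routinely lands in the far future or past. A future stamp on a .NET assembly is therefore a weak signal on its own; the Costura resources, the Run value and the Telegram URL carry the weight here.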
Source: C:\Windows\SysWOW64\wget.exe | File created: C:\Users\user\Desktop\download\loader.exe
Source: C:\Users\user\Desktop\download\loader.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client
Source: C:\Users\user\Desktop\download\loader.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client
Source: C:\Users\user\Desktop\download\loader.exe | Process information set: NOOPENFILEERRORBOX (this entry is repeated 58 times in the report)
                      Source: C:\Users\user\Desktop\download\loader.exe TID: 6020; Thread sleep count: 114 > 30
                      Source: C:\Users\user\Desktop\download\loader.exe TID: 6020; Thread sleep time: -114000s >= -30000s
                      Source: C:\Users\user\Desktop\download\loader.exe TID: 5808; Thread sleep count: 104 > 30
                      Source: C:\Users\user\Desktop\download\loader.exe TID: 5808; Thread sleep time: -104000s >= -30000s
                      Source: C:\Users\user\Desktop\download\loader.exe; Last function: Thread delayed
                      Source: loader.exe, 00000008.00000002.473162500.0000020CE46E7000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                      Source: wget.exe; Binary or memory string: Hyper-V RAW
                      Source: loader.exe, 00000006.00000002.473080069.000002228B13E000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll X
                      Source: wget.exe, 00000003.00000002.207518632.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll00
                      Source: C:\Users\user\Desktop\download\loader.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\download\loader.exe; Memory allocated: page read and write | page guard
                      Source: loader.exe, 00000006.00000002.473544152.000002228CB0D000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473612767.0000020CE62ED000.00000004.00000001.sdmp; Binary or memory string: Program ManagerHJ\M
                      Source: loader.exe, 00000006.00000002.473544152.000002228CB0D000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473612767.0000020CE62ED000.00000004.00000001.sdmp; Binary or memory string: Program Manager(
                      Source: loader.exe, 00000006.00000002.473544152.000002228CB0D000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473392938.0000020CE4B70000.00000002.00000001.sdmp; Binary or memory string: Program Manager
                      Source: loader.exe, 00000006.00000002.473364642.000002228B670000.00000002.00000001.sdmp, loader.exe, 00000008.00000002.473392938.0000020CE4B70000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: loader.exe, 00000006.00000002.473364642.000002228B670000.00000002.00000001.sdmp, loader.exe, 00000008.00000002.473392938.0000020CE4B70000.00000002.00000001.sdmp; Binary or memory string: Progman
                      Source: loader.exe, 00000006.00000002.473544152.000002228CB0D000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473612767.0000020CE62ED000.00000004.00000001.sdmp; Binary or memory string: program managerX
                      Source: loader.exe, 00000006.00000002.473364642.000002228B670000.00000002.00000001.sdmp, loader.exe, 00000008.00000002.473392938.0000020CE4B70000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
                      Source: loader.exe, 00000006.00000002.473544152.000002228CB0D000.00000004.00000001.sdmp, loader.exe, 00000008.00000002.473612767.0000020CE62ED000.00000004.00000001.sdmp; Binary or memory string: program manager
                      Source: C:\Windows\SysWOW64\wget.exe; Queries volume information: C:\Users\user\Desktop\download VolumeInformation
                      Source: C:\Users\user\Desktop\download\loader.exe; Queries volume information: C:\Users\user\Desktop\download\loader.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\wget.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Mitre Att&ck Matrix (numbers in parentheses are the per-technique counts shown in the matrix)

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder (1) | Process Injection (2) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (2) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (3) | LSA Secrets | System Information Discovery (12) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (2) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 458211